
Lab 5 - User Management and LDAP Installation

In this lab, you will explore user and group management in Linux (Ubuntu) and Unix (OPNsense). You will locate and analyze the password, shadow, and group files, manually create a user and group by editing these files, and test SSH access on Ubuntu. Using useradd and groupadd, you will create another user and switch identities with su. You will then repeat the process on OPNsense, noting the differences between Linux and Unix. Finally, you will install Docker and stand up an LLDAP server in a container on your Ubuntu machine. Deliverables include a lab report, two new users per system, and a running LLDAP instance, encouraging your creative problem-solving in a real-world-like setting.

Objectives

  • Understand how users and groups are stored and created in Linux and Unix
  • Manually create users and groups on both platforms
  • Demonstrate an ability to switch between users
  • Install Docker and confirm it can run a container
  • Install LLDAP in a Docker container and make its Web UI reachable from outside your private network

Stage 1 - Lab Report

The primary deliverable of this stage is a lab report. The instructions for each step below describe what I expect to see in that report. Complete the following on your Ubuntu machine; in Step 3 you will repeat the process on your Unix (OPNsense) machine.

Step 1 - Manually Create a User

Using what you've learned, go through the process of manually creating a user by editing the account files directly (on Ubuntu: /etc/passwd, /etc/shadow, and /etc/group). DO NOT use the built-in account-management commands (useradd, adduser, groupadd, and their equivalents) to accomplish this. Document the steps you used to create the user. Make sure to also create a group in which the new user is the only member. Test that you can log in as this new user using SSH (you only need to do this last part on your Ubuntu machine). A few practical points: the shadow entry needs a real password hash, which you can produce without touching the account files (for example with openssl passwd -6); the home directory must exist and be owned by the new user; and the login shell listed in the passwd entry must be an executable that exists on the system.

Be sure not to accidentally create a new user with a UID of "0", as that is the UID of the "root" user. Doing so may result in locking yourself out of the primary account and being unable to log in. Keep a root shell open while you edit, and test the new account from a second session rather than logging out of the one you are editing from, so that a mistake in these files can still be corrected.
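The script below is an added check for Steps 1 and 2, not part of the lab's own material: it audits a passwd/shadow/group trio for the mistakes that most often lock people out (a second UID 0, duplicate UIDs, a missing or empty shadow entry, a primary group that does not exist, wrong field counts). The sample files it writes are constructed for illustration and the function names are this example's own; on your Ubuntu machine run it as root against /etc/passwd /etc/shadow /etc/group after your manual edits.

```bash
#!/usr/bin/env bash
# Audit hand-edited passwd/shadow/group files for the mistakes that lock you out.
# Added example for this lab, not part of the course material. The sample files
# written by write_sample_files are constructed for illustration; on a real
# system run: sudo bash audit.sh /etc/passwd /etc/shadow /etc/group
# (the function names and file names are this example's own choices).

# Print one line per finding; print nothing when the three files are consistent.
audit_user_files() {
  local passwd="$1" shadow="$2" group="$3"

  # 1. Any account other than root with UID 0 is a second superuser.
  awk -F: '$3 == 0 && $1 != "root" { print "UID 0 reused by " $1 }' "$passwd"

  # 2. Duplicate UIDs make two logins indistinguishable to the kernel and filesystem.
  awk -F: '{ seen[$3]++ }
           END { for (u in seen) if (seen[u] > 1) print "duplicate UID " u }' "$passwd"

  # 3. Every passwd entry needs a shadow entry, and its password field must not be
  #    empty (an empty field means no password is required, where PAM permits it).
  awk -F: 'NR == FNR { shadow[$1] = $2; next }
           !($1 in shadow) { print "no shadow entry for " $1; next }
           shadow[$1] == "" { print "empty password field for " $1 }' "$shadow" "$passwd"

  # 4. The primary GID (field 4 of passwd) must exist in the group file.
  awk -F: 'NR == FNR { gid[$3] = $1; next }
           !($4 in gid) { print "primary GID " $4 " of " $1 " not in group file" }' "$group" "$passwd"

  # 5. Field counts: passwd has 7 colon-separated fields, shadow 9, group 4.
  awk -F: 'NF != 7 { print "passwd line " NR " has " NF " fields, expected 7" }' "$passwd"
  awk -F: 'NF != 9 { print "shadow line " NR " has " NF " fields, expected 9" }' "$shadow"
  awk -F: 'NF != 4 { print "group line " NR " has " NF " fields, expected 4" }' "$group"
}

# Constructed sample files: alice is correct; backdoor reuses UID 0 and has an empty
# password field; bob has no shadow entry and a primary group that does not exist.
write_sample_files() {
  local dir="$1"
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
backdoor:x:0:1002:Oops:/home/backdoor:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
EOF
  cat > "$dir/shadow" <<'EOF'
root:$6$NOTAREALSALT$NOTAREALHASH:19700:0:99999:7:::
alice:$6$NOTAREALSALT$NOTAREALHASH:19700:0:99999:7:::
backdoor::19700:0:99999:7:::
EOF
  cat > "$dir/group" <<'EOF'
root:x:0:
alice:x:1001:
backdoor:x:1002:
EOF
}

# Stand-alone demo: audit the three paths given as arguments, or the constructed files.
if [ "$#" -eq 3 ]; then
  audit_user_files "$1" "$2" "$3"
else
  tmp=$(mktemp -d)
  write_sample_files "$tmp"
  audit_user_files "$tmp/passwd" "$tmp/shadow" "$tmp/group"
  rm -rf "$tmp"
fi
```

On the constructed files the audit reports five findings and says nothing about alice, which is the state you want for your own new user: no output at all. The same checks are worth re-running after Step 2, to compare what useradd and groupadd wrote with what you wrote by hand.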

Step 2 - Useradd and Groupadd (And UNIX equivalents)

Now create another user using the useradd and groupadd commands. Document the commands used. Then use the su command to switch between these users, and demonstrate that you can swap between them (capture the output of id or whoami after each switch).

Step 3 - UNIX Comparison

Repeat steps 1 and 2 on your Unix (OPNsense) machine. Note the differences you observe between Unix and Linux: which files hold the account information, whether editing them by hand is enough on its own, and how the command equivalents differ. How are they the same? How are they different?

Please submit this lab report to the Lab 5 dropbox on eClass and continue to the next section.

Stage 2 - LDAP Setup

In this section, we will set up an LDAP server hosted in a Docker container running on our Ubuntu machine.

Step 1 - Installing Docker

Once Docker Engine is installed, validate that you are able to run sudo docker run hello-world. If it executes as expected, continue to the next section. The commands in this lab use sudo rather than adding your account to the docker group; membership in that group grants control of the Docker daemon, which is equivalent to root on the host.

Step 2 - Installing LLDAP

Visit the LLDAP GitHub repository. Inside the README.md file, you will notice it covers installation through several different methods. We will be using the recommended option and installing via Docker.

First, create a directory ~/lldap/ and create the following files inside of it:

  • generate_secrets.sh
  • docker-compose.yml

Copy the contents of both files from the files of the same name in the GitHub repository.

LLDAP provides a "docker compose" file named docker-compose.yml, given below:

version: "3"

volumes:
  lldap_data:
    driver: local

services:
  lldap:
    image: lldap/lldap:stable
    ports:
      # For LDAP, not recommended to expose, see Usage section.
      #- "3890:3890"
      # For LDAPS (LDAP Over SSL), enable port if LLDAP_LDAPS_OPTIONS__ENABLED set true, look env below
      #- "6360:6360"
      # For the web front-end
      - "17170:17170"
    volumes:
      - "lldap_data:/data"
      # Alternatively, you can mount a local folder
      # - "./lldap_data:/data"
    environment:
      - UID=####
      - GID=####
      - TZ=####/####
      - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM
      - LLDAP_KEY_SEED=REPLACE_WITH_RANDOM
      - LLDAP_LDAP_BASE_DN=dc=example,dc=com
      - LLDAP_LDAP_USER_PASS=adminPas$word

We'll need to modify those last four environment variables. Run ./generate_secrets.sh (make it executable first with chmod +x generate_secrets.sh, or run it as bash generate_secrets.sh) and copy its outputs into the LLDAP_JWT_SECRET and LLDAP_KEY_SEED variables respectively. Next, modify the LLDAP_LDAP_BASE_DN variable to be dc=<your_username>,dc=lan. For example, mine is dc=mirom,dc=lan. Finally, modify the LLDAP_LDAP_USER_PASS variable with an admin password of your choosing. Note that Docker Compose interpolates $VAR references inside the compose file, so a literal $ in the password must be written as $$ (the placeholder adminPas$word is itself a value that would be mangled). Because this file now holds the admin password and both secrets in plain text, restrict it to your user (chmod 600 docker-compose.yml) and do not commit it to a public repository.

Also, be sure to set the following fields to the following values (1000 is the UID and GID of the first user created on Ubuntu; confirm yours with id -u and id -g, and adjust the time zone if yours differs):

  • UID=1000
  • GID=1000
  • TZ=America/New_York
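Before running the container, it is worth checking the edited file for anything left over from the template. The script below is an added pre-flight check written for this lab, not part of LLDAP's own tooling: it flags remaining placeholders, the default admin password, an unescaped $ in the password, and any LDAP port that was uncommented. The two sample compose files it writes are constructed (the "edited" one uses made-up secret values, not real generate_secrets.sh output), and the function names are this example's own; point it at ~/lldap/docker-compose.yml to check your real file.

```bash
#!/usr/bin/env bash
# Pre-flight check for the edited docker-compose.yml before running docker compose up.
# Added example for this lab, not part of LLDAP's own tooling. The two sample compose
# files below are constructed for illustration and the function names are this
# example's own. Usage on your real file: bash check_compose.sh ~/lldap/docker-compose.yml

# Print one line per problem; print nothing when the file is ready to use.
check_compose() {
  local f="$1"
  # Placeholders and defaults the lab tells you to replace.
  awk 'index($0, "####")                { print "placeholder #### still present on line " NR ": " $0 }
       index($0, "REPLACE_WITH_RANDOM") { print "secret not generated on line " NR ": " $0 }
       index($0, "dc=example,dc=com")   { print "LLDAP_LDAP_BASE_DN still dc=example,dc=com" }
       index($0, "LLDAP_LDAP_USER_PASS=adminPas$word") { print "default admin password still set" }' "$f"
  # Compose interpolates $VAR inside the file; a literal $ must be written as $$.
  awk 'index($0, "LLDAP_LDAP_USER_PASS=") {
         v = substr($0, index($0, "=") + 1); gsub(/\$\$/, "", v)
         if (index(v, "$")) print "unescaped $ in LLDAP_LDAP_USER_PASS (write $$ for a literal $)"
       }' "$f"
  # The LDAP ports should stay commented out; only the web UI (17170) is published.
  awk '/^[[:space:]]*-[[:space:]]*"?(3890|6360):/ { print "LDAP port published on line " NR ": " $0 }' "$f"
}

write_sample_compose() {
  local dir="$1"
  # Unedited: the relevant part of the template, every placeholder still in place.
  cat > "$dir/unedited.yml" <<'EOF'
services:
  lldap:
    image: lldap/lldap:stable
    ports:
      #- "3890:3890"
      #- "6360:6360"
      - "17170:17170"
    environment:
      - UID=####
      - GID=####
      - TZ=####/####
      - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM
      - LLDAP_KEY_SEED=REPLACE_WITH_RANDOM
      - LLDAP_LDAP_BASE_DN=dc=example,dc=com
      - LLDAP_LDAP_USER_PASS=adminPas$word
EOF
  # Edited: placeholders replaced (secrets are made-up values, not real output of
  # generate_secrets.sh), $ escaped as $$, but the LDAP port was left published.
  cat > "$dir/edited.yml" <<'EOF'
services:
  lldap:
    image: lldap/lldap:stable
    ports:
      - "3890:3890"
      - "17170:17170"
    environment:
      - UID=1000
      - GID=1000
      - TZ=America/New_York
      - LLDAP_JWT_SECRET=MADEUPJWTSECRETFORTHISEXAMPLEONLY
      - LLDAP_KEY_SEED=MADEUPKEYSEEDFORTHISEXAMPLEONLY
      - LLDAP_LDAP_BASE_DN=dc=mirom,dc=lan
      - LLDAP_LDAP_USER_PASS=Str0ng$$Passphrase
EOF
}

# Stand-alone demo: check the file given as argument, or the two constructed files.
if [ "$#" -eq 1 ]; then
  check_compose "$1"
else
  tmp=$(mktemp -d)
  write_sample_compose "$tmp"
  echo "== unedited =="; check_compose "$tmp/unedited.yml"
  echo "== edited ==";   check_compose "$tmp/edited.yml"
  rm -rf "$tmp"
fi
```

The unedited template produces eight findings; the edited sample produces exactly one, the published 3890 port, which is the kind of accidental exposure the comments in the compose file warn about. A clean run prints nothing.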

Once this has been completed, run sudo docker compose up from within the ~/lldap folder. Docker will pull the image from Docker Hub and start the container shortly afterwards. If all goes well, you should see logs similar to the following. After you verify that it is running, shut it down with Ctrl + C so you can start it as a daemon later.

[Screenshot: LLDAP container startup logs]

Now start LLDAP as a daemon service with sudo docker compose up -d. This runs the container in the background. You can stop it at any time by changing into the ~/lldap directory and running sudo docker compose down.

Step 3 - Making the LLDAP Web UI accessible

In the real world, we would not want to make LLDAP accessible outside the network in this manner, and the Web UI on port 17170 speaks plain HTTP, so the admin credentials cross the network unencrypted. Doing so for the purposes of this lab makes things somewhat easier for us.

Notice the information under the ports directive inside docker-compose.yml. It publishes port 17170 from the container to your Ubuntu machine. If we want to reach this from outside the personal private network, we must also forward this port in OPNsense so that we can access the service in the browser at <your_opnsense_ip>:17170. Refer back to lab 1 for guidance on port forwarding.

Because port 17170 is not a standard port, OPNsense will not have a pre-included "name" for this service. When selecting the port, search for "other", then enter the port number in the box that appears below, like so:

[Screenshot: OPNsense port-forward rule with "other" selected and 17170 entered]

At this point, you should be able to access the LLDAP Web UI from any computer connected to the CS network (either a lab computer or through the VPN) on this port. Log in using the username admin; the password will be whatever value you set for LLDAP_LDAP_USER_PASS in docker-compose.yml.

Wrapping Up

In this lab, we explored user management and began to lay the groundwork for integrating LDAP into our environment. In upcoming labs, we will integrate LDAP with the Ubuntu OS, as well as with other services hosted through Docker.

Deliverables

  • Lab Report from Stage 1
  • Docker is installed, and the hello-world example works
  • LLDAP is installed and running
  • The LLDAP Web UI is publicly accessible